Security in Fixed and Wireless Networks

About the authors xiii Preface to the second edition xv Preface to the first edition xvii I Foundations of Data Security Technology 1 1 Introduction 3 1.1 Content and Structure of this Book 4 1.2 Threats and Security Goals 6 1.3 Network Security Analysis 9 1.4 Information Security Measures 13 1.5 Important Terms Relating to Communication Security 14 2 Fundamentals of Cryptology 17 2.1 Cryptology, Cryptography and Cryptanalysis 17 2.2 Classification of Cryptographic Algorithms 18 2.3 Cryptanalysis 19 2.4 Estimating the Effort Needed for Cryptographic Analysis 21 2.5 Characteristics and Classification of Encryption Algorithms 23 2.6 Key Management 25 2.7 Summary 27 2.8 Supplemental Reading 28 2.9 Questions 29 3 Symmetric Cryptography 31 3.1 Encryption Modes of Block Ciphers 31 3.2 Data Encryption Standard 37 3.3 Advanced Encryption Standard 43 3.4 RC4 Algorithm 48 3.5 The KASUMI algorithm 51 3.6 Summary 53 3.7 Supplemental Reading 54 3.8 Questions 55 4 Asymmetric Cryptography 57 4.1 Basic Idea of Asymmetric Cryptography 57 4.2 Mathematical Principles 60 4.3 The RSA Algorithm 69 4.4 The Problem of the Discrete Logarithm 71 4.5 The Diffie Hellman Key Exchange Algorithm 75 4.6 The ElGamal Algorithm 77 4.7 Security of Conventional Asymmetric Cryptographic Schemes 80 4.8 Principles of Cryptography Based on Elliptic Curves 81 4.9 Summary 93 4.10 Supplemental Reading 94 4.11 Questions 95 5 Cryptographic Check Values 97 5.1 Requirements and Classification 97 5.2 Modification Detection Codes 99 5.3 Message Authentication Codes 112 5.4 Message Authentication Codes Based on MDCs 116 5.5 Authenticated Encryption 117 5.6 Summary 121 5.7 Supplemental Reading 122 5.8 Questions 123 6 Random Number Generation 125 6.1 Random Numbers and Pseudo-Random Numbers 125 6.2 Cryptographically Secure Random Numbers 126 6.3 Statistical Tests for Random Numbers 128 6.4 Generation of Random Numbers 129 6.5 Generating Secure Pseudo-Random Numbers 130 6.6 Implementation Security 133 6.7 Summary 134 6.8 Supplemental Reading 135 6.9 Questions 136 7 Cryptographic Protocols 137 7.1 Properties and Notation of Cryptographic Protocols 137 7.2 Data Origin and Entity Authentication 139 7.3 Needham Schroeder Protocol 143 7.4 Kerberos 147 7.5 International Standard X.509 155 7.6 Security of Negotiated Session Keys 160 7.7 Advanced Password Authentication Methods 161 7.8 Formal Validation of Cryptographic Protocols 166 7.9 Summary 176 7.10 Supplemental Reading 177 7.11 Questions 178 8 Secure Group Communication* 179 8.1 Specific Requirements for Secure Group Communication 179 8.2 Negotiation of Group Keys 181 8.3 Source Authentication 189 8.4 Summary 193 8.5 Supplemental Reading 194 8.6 Questions 194 9 Access Control 197 9.1 Definition of Terms and Concepts 197 9.2 Security Labels 199 9.3 Specification of Access Control Policies 201 9.4 Categories of Access Control Mechanisms 202 9.5 Summary 204 9.6 Supplemental Reading 204 9.7 Questions 205 II Network Security 207 10 Integration of Security Services in Communication Architectures 209 10.1 Motivation 209 10.2 A Pragmatic Model 211 10.3 General Considerations for the Placement of Security Services 213 10.4 Integration in Lower Protocol Layers vs Applications 216 10.5 Integration into End Systems or Intermediate Systems 217 10.6 Summary 219 10.7 Supplemental Reading 219 10.8 Questions 219 11 Link Layer Security Protocols 221 11.1 Virtual Separation of Data Traffic with IEEE 802.1Q 222 11.2 Securing a Local Network Infrastructure Using IEEE 802.1X 224 11.3 Encryption of Data Traffic with IEEE 802.1AE 226 11.4 Point-to-Point Protocol 228 11.5 Point-to-Point Tunneling Protocol 236 11.6 Virtual Private Networks 242 11.7 Summary 243 11.8 Supplemental Reading 245 11.9 Questions 246 12 IPsec Security Architecture 249 12.1 Short Introduction to the Internet Protocol Suite 249 12.2 Overview of the IPsec Architecture 253 12.3 Use of Transport and Tunnel Modes 261 12.4 IPsec Protocol Processing 263 12.5 The ESP Protocol 267 12.6 The AH Protocol 273 12.7 The ISAKMP Protocol 279 12.8 Internet Key Exchange Version 1 286 12.9 Internet Key Exchange Version 2 293 12.10 Other Aspects of IPsec 297 12.11 Summary 299 12.12 Supplemental Reading 300 12.13 Questions 301 13 Transport Layer Security Protocols 303 13.1 Secure Socket Layer 303 13.2 Transport Layer Security 315 13.3 Datagram Transport Layer Security 322 13.4 Secure Shell 323 13.5 Summary 332 13.6 Supplemental Reading 333 13.7 Questions 334 III Secure Wireless and Mobile Communications 335 14 Security Aspects of Mobile Communication 337 14.1 Threats in Mobile Communication Networks 337 14.2 Protecting Location Confidentiality 338 14.3 Summary 343 14.4 Supplemental Reading 343 14.5 Questions 343 15 Security in Wireless Local Area Networks 345 15.1 The IEEE 802.11 Standard for WLANs 345 15.2 Entity Authentication 347 15.3 Wired Equivalent Privacy 353 15.4 Robust Secure Networks 358 15.5 Security in Public WLANs 365 15.6 Summary 367 15.7 Supplemental Reading 368 15.8 Questions 369 16 Security in Mobile Wide-Area Networks 371 16.1 Global System for Mobile Communication 371 16.2 Universal Mobile Telecommunications System 378 16.3 Long-Term Evolution385 16.4 Summary 389 16.5 Supplemental Reading 390 16.6 Questions 391 IV Protecting Communications Infrastructures 393 17 Protecting Communications and Infrastructure in Open Networks 395 17.1 Systematic Threat Analysis 396 17.2 Security of End Systems 399 17.3 Summary 411 17.4 Supplemental Reading 411 17.5 Questions 412 18 Availability of Data Transport 413 18.1 Denial-of-Service Attacks 413 18.2 Distributed Denial-of-Service Attacks 420 18.3 Countermeasures 422 18.4 Summary 433 18.5 Supplemental Reading 434 18.6 Questions 435 19 Routing Security 437 19.1 Cryptographic Protection of BGP 441 19.2 Identification of Routing Anomalies* 450 19.3 Summary 455 19.4 Supplemental Reading 456 19.5 Questions 457 20 Secure Name Resolution 459 20.1 The DNS Operating Principle 459 20.2 Security Objectives and Threats 461 20.3 Secure Use of Traditional DNS 467 20.4 Cryptographic Protection of DNS 469 20.5 Summary 481 20.6 Supplemental Reading 482 20.7 Questions 483 21 Internet Firewalls 485 21.1 Tasks and Basic Principles of Firewalls 485 21.2 Firewall-Relevant Internet Services and Protocols 487 21.3 Terminology and Building Blocks 490 21.4 Firewall Architectures 491 21.5 Packet Filtering 495 21.6 Bastion Hosts and Proxy Servers 500 21.7 Other Aspects of Modern Firewall Systems 502 21.8 Summary 503 21.9 Supplemental Reading 504 21.10 Questions 505 22 Automated Attack Detection and Response 507 22.1 Operating Principle and Objectives of Intrusion Detection Systems 508 22.2 Design and operation of network-based IDSs 512 22.3 Response to Attacks and Automatic prevention 521 22.4 Techniques for Evading NIDSs 524 22.5 Summary 526 22.6 Supplemental Reading 527 22.7 Questions 528 23 Management of Complex Communication Infrastructures* 529 23.1 Automatic Certificate Management 529 23.2 Automatic VPN Configuration 536 23.3 Summary 550 23.4 Supplemental Reading 552 23.5 Questions 554 Bibliography 555 Abbreviations 585 Index 595